Threat Intelligence

Security Flaws in Chrome Extensions: The Hidden Dangers of Hardcoded Credentials

API keys, secrets, and tokens commonly left exposed in browser extensions’ code.

Hardcoded credentials (API keys, secrets, or tokens placed directly in a browser extension's JavaScript) are among the most common and most consequential security oversights in modern development. Once an extension is published, those secrets are available to anyone who cares to look: an attacker needs only download the extension package and inspect its source. From there they can craft their own requests to the backing service, whether that means spamming analytics with bogus events, running up charges on the developer's paid cloud subscription, or, depending on what the credential authorizes, reaching user data. In this post we examine examples drawn from popular Chrome extensions, pointing to the specific code that reveals each secret and explaining the associated risk.

Avast Online Security & Privacy / AVG Online Security

The Avast Online Security & Privacy extension (7,000,000+ users) and AVG Online Security (600,000+ users) share similar code, each containing a hardcoded Google Analytics 4 (GA4) API secret (Figure 1). 

Figure 1. Code snippets showing hardcoded Google Analytics 4 (GA4) API secrets.

Because the secret (GA4_API_SECRET) is appended to the collection URL as a query parameter, anyone who extracts it can send arbitrary events to the GA4 Measurement Protocol endpoint under the developer's property, corrupting metrics and, where a paid analytics tier is in use, inflating costs. AVG Online Security contains a virtually identical pattern. Both extensions show how embedding a server-side secret in client code invites large-scale data pollution and unauthorized use of the analytics property.

Equatio – Math Made Digital

With over 5,000,000 users, Equatio – Math Made Digital embeds an Azure API key used for speech recognition, as seen in Figure 2.

Figure 2. Embedded Azure API key used for speech recognition.

Because the key is stored in window.equatioAzureApiKey, anyone inspecting or debugging the extension can read it. The snippet in Figure 2 shows Equatio passing the key to fromSubscription(...) to initialize Microsoft Azure's speech-to-text client. An attacker who replays or floods these calls with their own audio runs up usage on the developer's Azure subscription, inflating costs or exhausting its quota.

Awesome Screen Recorder & Screenshot / Scrolling Screenshot Tool & Screen Capture

Both Awesome Screen Recorder & Screenshot (3,000,000+ users) and Scrolling Screenshot Tool & Screen Capture (400,000+ users) use virtually the same snippet for AWS S3 uploads, exposing the developer’s AWS access key (Figure 3).

Figure 3. Exposed AWS access key.

In both extensions the embedded credentials are used to upload screenshots to the developer's S3 bucket. Because they appear in plain text, an attacker can script their own uploads to the same bucket (hosting illegal content or malicious files under the developer's name) and, if the IAM identity behind the key has permissions beyond writing to that bucket, pivot to other AWS resources. What the attacker can actually do is bounded only by the IAM policy attached to the key, which is why a few lines of JavaScript can undermine the security posture of the developer's entire AWS environment.

Microsoft Editor – Spelling & Grammar Checker

Microsoft Editor (2,000,000+ users) reveals a telemetry key called StatsApiKey. In the code shown in Figure 4, the extension uses that key to log user data for analytics. 

Figure 4. Exposed telemetry key.

Anyone holding this key can submit spoofed telemetry, polluting Microsoft's analytics and undermining any usage insights the developers rely on. If the logging backend meters or rate-limits by key, mass abuse can also drain that budget or get the key throttled or revoked, cutting off the developer's own telemetry.

Antidote Connector - InboxSDK

A broader risk surfaces in InboxSDK, a third-party library used by over 90 Chrome extensions, which ships with a hardcoded Google API key in its source; every extension that bundles the library inherits the exposure. Antidote Connector (1,000,000+ users), for example, includes InboxSDK for certain Gmail requests. Figure 5 shows the key being inserted directly into the request header for communication with Google services.

Figure 5. Exposed Google API key for Gmail requests.

The problem is that these hardcoded credentials are available to anyone who inspects the extension's code. In InboxSDK the key is attached to each request as 'x-goog-api-key': googleApiKey, so an attacker can replicate the request headers exactly. A Google API key identifies the developer's Cloud project for quota and billing rather than authorizing access to a particular mailbox (that still requires the user's OAuth token), so the most direct abuse is hammering Google's endpoints under the developer's project until its quota is exhausted or the key is blocked, which breaks the Gmail integration for every user of every extension that bundles the library; whether the key unlocks anything beyond that depends on which APIs it is enabled for and on any application or API restrictions set on it in the Cloud console. Because the key ships inside InboxSDK, the issue reaches well beyond a single extension. Antidote Connector has since resolved the flaw in its latest version, removing the hard-coded key and adopting a more secure authentication flow.

Watch2Gether

Watch2Gether (1,000,000+ users) leaks a Tenor GIF search API key (Figure 6).

Figure 6. Exposed Tenor GIF search API key.

Although Tenor is "just GIFs," the API is keyed and metered: requests made with a stolen key count against the developer's quota, can incur cost, and trip rate limits when sent at scale. Sustained abuse could also get the developer's account banned from the Tenor API, breaking GIF search for every legitimate user. Even a seemingly benign, entertainment-related key has real consequences. Watch2Gether has since patched the problem in its latest release, eliminating the exposed key and moving authentication to a more secure flow.

Trust Wallet

In Trust Wallet (1,000,000+ users), the code reveals a fiat ramps API key (Figure 7).

Figure 7. Exposed fiat ramps API key.

This key is concatenated into a string that is hashed to produce a signature on crypto purchase quote requests; the signature is meant to prove that a request came from the genuine wallet. Since the key is in the client, anyone can duplicate the extension's logic and mint valid signatures, generating authentic-looking requests to buy or sell cryptocurrency on behalf of unsuspecting users, or altering an intercepted request and re-signing it so that the manipulated quote passes verification. Because this touches financial data and transactions, it is the most concerning example in the set.

TravelArrow – Your Virtual Travel Agent

Rounding out these examples, TravelArrow (300,000+ users) exposes a geolocation API key (Figure 8).

Figure 8. Exposed geolocation API key.

Using this key, the extension queries ip-api.com for location data. Anyone who replicates the calls, or sends them in bulk, drives up usage on the developer's account, potentially leaving TravelArrow with hefty bills or a disabled key. Even an API used only for geolocation can be abused when key-based metering or quotas are in play.

Conclusion

From GA4 analytics secrets to Azure speech keys, and from AWS S3 credentials to Google API keys, each of these snippets shows how a few lines of code can jeopardize an entire service. The rule is simple: never ship a credential to the client. Route privileged operations through a backend the developer controls, where the secret lives in environment variables or a secrets manager, where each request can be authenticated, validated and rate-limited, and where the client receives at most a short-lived, narrowly scoped capability. Rotate keys regularly, monitor their usage for anomalies, and grant each one the least privilege its task needs, so that a leak, when it happens, is contained. By removing exposed secrets from their extensions, developers keep user trust intact, avoid financial losses, and ensure more reliable analytics for their products.
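The backend relay the conclusion recommends, worked through for the GA4 case from Figure 1, as an added example that is not code from the post or from any of the extensions (the same shape applies to the Microsoft Editor telemetry key, the Tenor key and the ip-api.com key: the client posts plain requests, the relay holds the credential). The extension sends plain events to the relay; only the relay knows GA4_API_SECRET, read from its environment, and it enforces an event allow-list, a flat parameter schema, GA4's 25-events-per-request limit and a per-client rate limit before forwarding. The measurement ID, event names, limits and relay port are hypothetical values chosen for the example.

```javascript
'use strict';
// Added example: GA4 Measurement Protocol relay that keeps api_secret server-side.
// Not the extensions' code; measurement ID, event names and limits are placeholders.
const MEASUREMENT_ID = 'G-EXAMPLE123';                       // hypothetical
const GA4_ENDPOINT = 'https://www.google-analytics.com/mp/collect';
const ALLOWED_EVENTS = new Set(['extension_installed', 'page_scanned', 'settings_changed']);
const MAX_EVENTS_PER_MINUTE = 60;                             // per client_id (assumption)
const MAX_PARAMS = 10;

const buckets = new Map();                                    // client_id -> { windowStart, count }

// Fixed-window rate limit keyed by client_id; true when the batch may pass.
function rateLimitOk(clientId, now) {
  let b = buckets.get(clientId);
  if (!b || now - b.windowStart >= 60_000) { b = { windowStart: now, count: 0 }; buckets.set(clientId, b); }
  if (b.count >= MAX_EVENTS_PER_MINUTE) return false;
  b.count += 1;
  return true;
}

// Accept only allow-listed names and flat primitive params with simple keys; null = reject.
function normalizeEvent(ev) {
  if (!ev || typeof ev.name !== 'string' || !ALLOWED_EVENTS.has(ev.name)) return null;
  const entries = Object.entries(ev.params || {});
  if (entries.length > MAX_PARAMS) return null;
  const params = {};
  for (const [k, v] of entries) {
    if (!/^[a-z][a-z0-9_]{0,39}$/.test(k)) return null;
    const bad = typeof v === 'string' ? v.length > 100 : (typeof v !== 'number' && typeof v !== 'boolean');
    if (bad) return null;
    params[k] = v;
  }
  return { name: ev.name, params };
}

// Relay logic: given the JSON body the extension sent, return either a rejection or the
// exact request the relay itself will make to GA4 (the only place the secret appears).
function handleCollect(body, now = Date.now()) {
  if (!body || typeof body.client_id !== 'string' || !/^[A-Za-z0-9._-]{1,64}$/.test(body.client_id)) {
    return { status: 400, error: 'invalid client_id' };
  }
  if (!Array.isArray(body.events) || body.events.length === 0 || body.events.length > 25) {
    return { status: 400, error: 'events must be a non-empty array of at most 25 items' };
  }
  const events = body.events.map(normalizeEvent);
  if (events.some((e) => e === null)) return { status: 400, error: 'event not allowed or malformed' };
  if (!rateLimitOk(body.client_id, now)) return { status: 429, error: 'rate limit exceeded' };

  const secret = process.env.GA4_API_SECRET;                  // lives only on the relay host
  if (!secret) return { status: 500, error: 'GA4_API_SECRET not configured' };
  const url = `${GA4_ENDPOINT}?measurement_id=${encodeURIComponent(MEASUREMENT_ID)}&api_secret=${encodeURIComponent(secret)}`;
  return { status: 200, forward: { url, method: 'POST', body: JSON.stringify({ client_id: body.client_id, events }) } };
}

// HTTP wrapper around handleCollect. Not started here; call createRelayServer().listen(8787)
// on the relay host with GA4_API_SECRET set in its environment.
function createRelayServer() {
  const http = require('http');
  return http.createServer((req, res) => {
    let raw = '';
    req.on('data', (chunk) => { raw += chunk; if (raw.length > 16_384) req.destroy(); }); // cap body size
    req.on('end', async () => {
      let result;
      try { result = handleCollect(JSON.parse(raw)); } catch (e) { result = { status: 400, error: 'invalid JSON' }; }
      if (result.status === 200) {
        const upstream = await fetch(result.forward.url, { method: 'POST', body: result.forward.body });
        result = { status: upstream.ok ? 204 : 502 };
      }
      res.writeHead(result.status, { 'content-type': 'application/json' });
      res.end(JSON.stringify({ error: result.error }));
    });
  });
}

// Extension side: knows the relay URL and its own client_id, never the GA4 secret.
async function sendTelemetry(relayUrl, clientId, events) {
  const res = await fetch(relayUrl, {
    method: 'POST', headers: { 'content-type': 'application/json' },
    body: JSON.stringify({ client_id: clientId, events }),
  });
  return res.status;
}

module.exports = { handleCollect, createRelayServer, sendTelemetry };
```

With this in place, an attacker who extracts the extension can still hit the relay, but only with allow-listed events, at a bounded rate per client, and without ever learning the secret, so the damage is a trickle of fake events that the relay's logs and rate counters make visible.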

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Symantec recommends users follow these best practices to stay protected from browser extension threats:

  • Install a suitable security app, such as Symantec Endpoint Protection, to protect your device and data
  • Refrain from downloading extensions from unfamiliar sites and only install extensions from trusted sources
  • Pay close attention to the permissions that extensions request
  • Make frequent backups of important data


Appendix

Name                                          Extension ID                      User count  Credential exposed
Avast Online Security & Privacy               gomekmidlodglbbmalcneegieacbdmki  7,000,000   GA4 API secret
AVG Online Security                           nbmoafcmbajniiapeidgficgifbfmjfo  600,000     GA4 API secret
Equatio - Math made digital                   hjngolefdpdnooamgdldlkjgmdcmcjnc  5,000,000   Azure API key
Awesome Screen Recorder & Screenshot          nlipoenfbbikpbjkfpfillcgkoblgpmj  3,000,000   AWS access key
Scrolling screenshot tool & screen capture    mfpiaehgjbbfednooihadalhehabhcjo  400,000     AWS access key
Microsoft Editor: Spelling & Grammar Checker  gpaiobkfhnonedkhhfjpmhdalgeoebfa  2,000,000   Microsoft telemetry API key
Antidote Connector                            lmbopdiikkamfphhgcckcjhojnokgfeo  1,000,000   Google API key
Watch2Gether                                  cimpffimgeipdhnhjohpbehjkcdpjolg  1,000,000   Tenor GIF search API key
Trust Wallet                                  egjidjbpglichdcondbcbdnbeeppgdph  1,000,000   Fiat ramp API key
Speed Dial [FVD] - New Tab Page, 3D, Sync     llaficoajjainaijghjlofdfmbjpebpa  500,000     GA4 API secret
SellerSprite - Amazon Research Tool           lnbmbgocenenhhhdojdielgnmeflbnfb  400,000     GA4 API secret
TravelArrow - Your Virtual Travel Agent       coplmfnphahpcknbchcehdikbdieognn  300,000     Geolocation API key

About the Author

Yuanjing Guo

Software Engineer

Yuanjing is a member of Symantec's Security Technology and Response team, which focuses on researching and developing automation technologies in mobile security.
